A proof-of-concept (PoC) exploit has been released for a critical unauthenticated remote code execution (RCE) vulnerability in Fortinet FortiSIEM, tracked as CVE-2023-34992. Discovered by researchers at Horizon3.ai during an audit of Fortinet appliances, this vulnerability has a CVSS score of 10.0, indicating its severe impact. Fortinet FortiSIEM is a robust Security Information and Event Management (SIEM) solution that offers log collection, correlation, automated response, and remediation capabilities. The flaw was identified in the doPost method of the LicenseUploadServlet, which insufficiently sanitizes user input, allowing attackers to inject arbitrary commands.
The vulnerability resides within the backend web service deployed via the Glassfish Java framework, specifically within the LicenseUploadServlet.class. By exploiting this flaw, unauthenticated attackers can execute arbitrary commands as the root user, enabling them to read sensitive information and secrets from integrated systems. This could facilitate further lateral movement within the network, potentially leading to widespread compromise. The PoC demonstrates the method to leverage this vulnerability, showcasing the ease with which an attacker can gain control over the affected system.
Fortinet has addressed this critical vulnerability in recent updates. Versions from 6.4.0 to 7.1.1 of FortiSIEM are at risk, and patches have been released for versions 7.0.3, 7.1.3, and 6.7.9. Additional patches for versions 7.2.0, 6.6.5, 6.5.3, and 6.4.4 are expected soon. Users are strongly advised to apply these patches promptly to mitigate the risk of exploitation. Alongside updating to the latest versions, it is recommended to follow best practices for securing SIEM deployments, such as restricting access to the management interface and regularly auditing system configurations.
Organizations using Fortinet FortiSIEM should prioritize updating their systems and review logs for any unusual activity, particularly in the file /opt/phoenix/logs/phoenix.logs, which might contain critical information related to the phMonitor service. Addressing this vulnerability promptly is crucial to safeguarding sensitive data and maintaining the integrity of network systems against potential exploitation.
Reference:
